India Cloud Security and Compliance

Customers retain control and ownership over the data that they choose to store with AWS, they also choose the geographical region in which they store their content. AWS will not disclose or move your content unless legally required to do so.

Customers should review the Using AWS in the context of Common Privacy and Data Protection Considerations to understand the choices they need to make for maintaining privacy of the data they store on AWS. Customers can review the AISPL privacy page for information on AWS privacy policy for AISPL. AWS will only use customer account information in accordance with the Privacy Policy. The Privacy Policy does not apply to customer content.

Because AWS customers retain ownership and control over their content within the AWS environment, they also retain responsibilities relating to the security of that content as part of the AWS “shared responsibility” model. This Shared Responsibility Model is fundamental to understanding the respective roles of the customer and AWS in the context of privacy and data protection requirements that may apply to content that customer choose to store or process using AWS services.

• AWS’ data centers are state of the art, utilizing innovative architectural and engineering approaches. AWS has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
• AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

• AWS is responsible for implementing and configuring the logical access controls for the underlying infrastructure that provide the services for use of the customer.
• Customers are responsible for configuring and implementing logical access controls for their half of the Shared Responsibility Model, which includes securing services that AWS provides to the customer such as IAM, MFA or the use of restrictive access control policies.
• AWS defined resources (ARN) can also have Access Control List policies applied to ensure that rules are consistently enforced and that enforcement exists on the resources regardless of the user attempting to access the resource.

AWS provides a number of services and features to help the customer secure their resources:

• Network Control via VPC:
• Security Groups
• NACLs
• Subnets
• Route tables
• Application Security Assessment:
• Amazon Inspector
• CloudHSM

• CloudTrail for an audit trail of all API activity on the AWS platform, allowing the customer to determine who took what action and from where.
• VPC Flow Logs for logging network flow
• Operating System and Application logs for activity on the instance.
• Cloudwatch Logs for processing VPC Flow logs, or on instance logs